SQL Injection Primer By Nicole Gray, Cliff McCullough, Joe Hernandez
Agenda
• Overview of SQL Injection
• Elaboration
• Detection
• Prevention
• Wrap-up

Vulnerability
• Input access to a database
• Outsider Exploit
• Insider Exploit
• Trust no one

Google Hacking
• Use the Google search engine to identify information or web sites with poor security practices
• Advanced operators aid the search
  • intitle: - restricts the search to text in the title of the page. Ex. intitle: SQL
  • allintitle: - similar to the intitle operator, allows concatenation of keywords in a title search. Ex. allintitle: SQL Password (is the same as intitle: SQL intitle: Password)
  • inurl:, allinurl: - will search for keywords in the URL. Ex. inurl: login.aspx
  • site: - will narrow the search to a specific site or domain like uccs.edu or .gov. Ex. site:.uccs.edu
  • filetype: - used to search for a specific file type like doc, php, cgi, or aspx. Ex. filetype:aspx (do not use the dot operator to identify the file type, like .doc)
  • intext: - will identify keywords in the text of the webpage. Ex. intext: SQL Injection
• http://johnny.ihackstuff.com/ghdb/

Types of SQL Injection
• Three types
  • Inband: same user interface, i.e. webpage
  • Out-of-band: different communications channel, i.e. e-mail
  • Inferential: can't see the results of injection, i.e. blind SQL injection
• Error Based – asking the database questions
  • a' or 'a' = 'a
  • Answer may be returned as an error
• Union Based – combines the results of two SQL statements
  • SELECT * from lastname UNION SELECT * from office
• Blind – asks the database true and false questions; may not see specific results
  • Interpret or deduce results
  • Game of 20 questions

SQL Injection Tools
• SQL Map* is a tool that aids in the fingerprinting of a backend database
• SQL Ninja* http://sqlninja.sourceforge.net/
  • Aids in the exploitation of SQL injection vulnerabilities; can provide root-level command access to the system
• Automagic SQL Injector*
  • Designed to work with a generic installation of MS SQL
  • http://scoobygang.org/magicsql/
• Videos on SQL injection can be found on the internet; one great source:
  • http://securitytube.net/
*Source: EC Council Certified Ethical Hacker Volume 3 Chapter 19

Detection
• Application layer firewalls
  • Inspects each packet, decides to pass or reject
  • Easier to update firewall rules than update application program code
• Intrusion Detection System (IDS)
  • Network-based, Systems-based, Host-based
  • Compares packets to known signatures

Prevention
• Mitigate the risk
• Review web applications, program code, and back-end system design
• SQL queries should be parameterized or use stored procedures
• Validate user input

Prevention continued
• Restrict privileges
• White lists and black lists

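Added example (not from the original slides): the two Prevention slides in code, using Python's sqlite3 module. It runs the slides' own a' or 'a' = 'a string through a concatenated query, a parameterized query, and a whitelist check. The staff table, its rows, the function names and the surname pattern are assumptions made for this example.

```python
import re
import sqlite3

def make_db():
    """In-memory database with constructed sample rows (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE staff (lastname TEXT, office TEXT)")
    db.executemany(
        "INSERT INTO staff VALUES (?, ?)",
        [("Adams", "A101"), ("Baker", "B202"), ("O'Brien", "C303")],
    )
    return db

def lookup_concatenated(db, lastname):
    """The 'before': user input is spliced into the SQL text itself."""
    sql = "SELECT lastname, office FROM staff WHERE lastname = '" + lastname + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, lastname):
    """Hardened: the value is bound by the driver and only ever treated as data."""
    sql = "SELECT lastname, office FROM staff WHERE lastname = ?"
    return db.execute(sql, (lastname,)).fetchall()

# Whitelist: letters, space, apostrophe, dot, hyphen; at most 40 characters.
# Assumed policy for this example; a real one depends on the field.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z '.-]{0,39}")

def lookup_validated(db, lastname):
    """Validate first, then still use the parameterized query underneath."""
    if not NAME_RE.fullmatch(lastname):
        raise ValueError("lastname rejected by whitelist")
    return lookup_parameterized(db, lastname)

if __name__ == "__main__":
    db = make_db()
    tautology = "a' or 'a' = 'a"  # the string shown on the Error Based slide
    print("concatenated :", lookup_concatenated(db, tautology))
    print("parameterized:", lookup_parameterized(db, tautology))
    print("legit O'Brien:", lookup_validated(db, "O'Brien"))
    try:
        lookup_validated(db, tautology)
    except ValueError as exc:
        print("validated    :", exc)
```

The whitelist deliberately allows an apostrophe: a legitimate surname such as O'Brien makes the concatenated query fail with a syntax error, while the parameterized one returns the row, which is why validation complements parameterization rather than replacing it.
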
Wrap-up
• SQL Injection is increasing in prevalence
• Not possible to absolutely defend against all possible attacks
• Risk of attack can be reduced:
  • Maintain firewalls, intrusion detection / prevention systems
  • Manage access to queries through parameterization and stored procedures
  • Always validate user input
  • Restrict accounts
  • Use whitelists and blacklists.